IBM Security Verify

  • 1.  Federation module, acting as SP : how to get more information about errors ?

    IBM Champion
    Posted Fri November 09, 2018 06:20 AM
    Edited by André Leruitte Fri November 09, 2018 06:23 AM
    Hello everybody,

    We are running into a limitation using the Federation Module (ISAM 9.0.5 IF1) for customizing user error pages after a failed authentication.

    We are using federation as an SP linked to the LuxTrust IDP. We have identified at least 2 particular use cases where we are unable to show a user-friendly error page:
    - When the user takes too long to finish the authentication on the IDP
    - When the user cancels the authentication on the IDP side

    In both cases, the IDP sends us back a SAML response notifying us that the authentication failed, with a precise reason inside (e.g. "user manually canceled").

    We already customized the default federation error page templates so we have something a bit more user-friendly, but for these two cases (and other errors) we have no way of displaying anything other than "An error has occurred during the authentication".


    We would love to have some sort of access to the attributes of the SAML response received by the federation module when we are in the error template page (via macros or via some sort of server-side scripting?), so we could handle the error in a much friendlier way (for example displaying "The authentication process took too long, please start again", or, in the case where the user canceled, automatically starting the authentication process again).

    Is there any known way to achieve this?

    Thanks for any tip that could help us improve the error handling of failed authentications.

    ------------------------------
    André Leruitte
    ------------------------------


  • 2.  RE: Federation module, acting as SP : how to get more information about errors ?

    Posted Mon November 12, 2018 12:56 AM
    Hi André,

    You could try to retrieve the "@SAMLSTATUS@" macro using server-side scripting.

    The "@SAMLSTATUS@" macro value:

    <fim:FIMStatusCollection xmlns:fim="urn:ibm:names:ITFIM:saml" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"><fim:FIMStatusCollectionEntry><saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://www.myidp.ibm.com/isam/sps/saml20idp/saml20</saml:Issuer><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder"></samlp:StatusCode><samlp:StatusDetail><fim:FIMStatusDetail MessageID="could_not_perform_token_exchange"></fim:FIMStatusDetail></samlp:StatusDetail></samlp:Status></fim:FIMStatusCollectionEntry></fim:FIMStatusCollection>

    Server-side script at the template page:

    <%
    var statusXML = templateContext.macros["@SAMLSTATUS@"];
    // Capture the MessageID attribute value, e.g. "could_not_perform_token_exchange" (no /g flag, so match() returns the capture group)
    var regex = /MessageID="(\w+)"/;
    var match = statusXML.match(regex);
    var error = match ? match[1] : "";
    // Choose the text to display for the extracted MessageID; keep the generic text for anything unknown
    var customError = "An error has occurred during the authentication";
    if (error == "could_not_perform_token_exchange") customError = "The user has cancelled the SSO flow";
    %>

    This will retrieve the MessageID from the macro.

    Based on the error message, you can choose to display a suitable error message by adding the following server-side snippet.

    <div id="detailDiv" >
    <h4>Error details</h4>
    <%=customError%>
    </div>

    I hope this helps.

    ------------------------------
    Sumana Narasipur
    ------------------------------



  • 3.  RE: Federation module, acting as SP : how to get more information about errors ?

    Posted Mon November 12, 2018 09:08 PM
    Hi André,

    As Sumana mentioned in Comment 2 above, we can use server-side JS template mapping to achieve this type of error page customization.
    Just to add one minor note: the example of the @SAMLSTATUS@ macro value containing the string <fim:FIMStatusDetail MessageID="could_not_perform_token_exchange"></fim:FIMStatusDetail> is based on a SAML response generated by an ISAM IdP. If the LuxTrust IDP is not using ISAM, the @SAMLSTATUS@ macro value received at the ISAM SP in your case might be different, hence the server-side JS code needs to be changed accordingly to be able to extract the relevant error message from it. Also, @SAMLSTATUS@ could possibly carry a success message for a successful SSO flow, hence it would be better for the server-side JS rule to handle a successful @SAMLSTATUS@ as well.



    ------------------------------
    Yongming Chen
    ------------------------------
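As an added example (not code from this thread, from ISAM or from LuxTrust), the following server-side JS extends Sumana's regex approach in the direction Yongming describes: it reads the SAML status codes, the ISAM-specific MessageID and the generic samlp:StatusMessage, treats a Success status as "no error", and maps the result to a display text. The sample macro values and the message table are constructed for illustration.

```javascript
// Added example: classify the @SAMLSTATUS@ macro value on an ISAM SP error template.
// Assumes the macro carries a <samlp:Status> as shown in the thread; the message table
// and the sample inputs are constructed for illustration, not captured from a real IdP.
var SAML_STATUS_PREFIX = "urn:oasis:names:tc:SAML:2.0:status:";

// Constructed mapping: keys are ISAM MessageID values or second-level SAML status codes.
var USER_MESSAGES = {
  "could_not_perform_token_exchange": "The identity provider could not complete the sign-on; please start again.",
  "AuthnFailed": "The authentication was cancelled or failed; please start again.",
  "NoAuthnContext": "The identity provider could not authenticate you at the requested level."
};

// Regex extraction as in the thread (template JS has no DOM parser); returns "" when absent.
function firstGroup(text, regex) {
  var m = text.match(regex);
  return m ? m[1] : "";
}

function classifySamlStatus(statusXML) {
  // All StatusCode values in document order: top-level first, nested (more specific) second.
  var codes = [];
  var re = /StatusCode\s+Value="([^"]+)"/g;
  var m;
  while ((m = re.exec(statusXML)) !== null) codes.push(m[1].replace(SAML_STATUS_PREFIX, ""));
  var status = {
    success: codes[0] === "Success",
    topCode: codes[0] || "",
    subCode: codes[1] || "",
    messageId: firstGroup(statusXML, /MessageID="([^"]+)"/),                 // ISAM IdP detail
    statusMessage: firstGroup(statusXML, /<samlp:StatusMessage>([^<]*)<\//), // other IdPs
    userMessage: ""
  };
  // Success: render no error text at all. Otherwise prefer the ISAM MessageID, then the sub-code.
  if (!status.success) {
    var key = status.messageId || status.subCode;
    status.userMessage = USER_MESSAGES[key] || "An error has occurred during the authentication";
  }
  return status;
}

// Constructed sample macro values (shape only) for the three cases discussed in the thread.
var SAMPLE_ISAM_IDP = '<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">' +
  '</samlp:StatusCode><samlp:StatusDetail><fim:FIMStatusDetail MessageID="could_not_perform_token_exchange">' +
  '</fim:FIMStatusDetail></samlp:StatusDetail></samlp:Status>';
var SAMPLE_OTHER_IDP = '<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">' +
  '<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:AuthnFailed"/></samlp:StatusCode>' +
  '<samlp:StatusMessage>User cancelled authentication</samlp:StatusMessage></samlp:Status>';
var SAMPLE_SUCCESS = '<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>';
```

In a template page the call would be `var status = classifySamlStatus(templateContext.macros["@SAMLSTATUS@"]);` followed by `<%=status.userMessage%>` in the HTML, rendering nothing for a successful status.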



  • 4.  RE: Federation module, acting as SP : how to get more information about errors ?

    IBM Champion
    Posted Tue November 13, 2018 01:37 AM
    Hi Chen and Sumana,

    Thank you for your tips; it seems to be exactly what I was looking for.

    At the moment, we have just installed the 9.0.5 IF1 fixpack (which breaks the error template pages), but as soon as a fix is available to us, we will test what you both suggested.

    ------------------------------
    André Leruitte
    ------------------------------



  • 5.  RE: Federation module, acting as SP : how to get more information about errors ?

    IBM Champion
    Posted Fri March 29, 2019 08:46 AM
    Hi,

    Just a quick update on this. Now that we have upgraded to ISAM 9.0.6, we finally took the time to test what you suggested.

    It works as advertised: we are now able to detect the error type much more precisely and display a specific message and/or take specific actions as needed.


    Thank you very much for your tips!

    ------------------------------
    André Leruitte
    ------------------------------



  • 6.  RE: Federation module, acting as SP : how to get more information about errors ?

    Posted Sat March 30, 2019 09:58 AM
    Hi André,

    Glad to hear that.

    ------------------------------
    Sumana Narasipur
    ------------------------------



  • 7.  RE: Federation module, acting as SP : how to get more information about errors ?

    Posted Thu April 29, 2021 06:54 AM
    Hi Andre,

    Is it possible to share the template SAM_Post file? We also have this requirement and tried multiple approaches but are still not able to achieve it.

    ------------------------------
    Rahul Verma
    ------------------------------



  • 8.  RE: Federation module, acting as SP : how to get more information about errors ?

    IBM Champion
    Posted Thu April 29, 2021 07:22 AM
    Hi Rahul,

    For retrieving the details of the SAML error, we did nothing more than what was suggested here before.

    We added at the top of the template authn_failed.html the following:
    <%
    var statusXML = templateContext.macros["@SAMLSTATUS@"];

    // Marker string that identifies the "authentication canceled by the user" error in the status returned by the IDP
    var hasErrorAuthCanceledByUser = statusXML.includes("LTEC_856084");

    // Key of the i18n message to display; empty when no specific message applies
    var customErrorMessage = "";
    if (hasErrorAuthCanceledByUser) customErrorMessage = "i18n.auth.error.authn_canceled";
    %>


    We then display the field somewhere in the HTML:

    <div id="additionalDetail"><%=customErrorMessage%></div>



    In this particular case we also initiate a changeLocation on an iFrame, but that's specific to our integration with the third-party IDP.

    ------------------------------
    André Leruitte
    ------------------------------